1 Firewalling debian.org hosts
2 ============================
4 Debian's own firewalling
5 ------------------------
7 A number of hosts have incoming ssh connections restricted to some subnets.
8 In particular, this includes mirrors, buildds and DSA's gitolite host. To
9 connect to those machines, users can hop through master.debian.org or
13 Third party firewalling
14 -----------------------
16 In Debian we rely on sponsors for providing housing and hosting for all
17 of our infrastructure. As such, we have a lot of our gear spread out
18 all over the world across many different locations.
20 To make our life easier our general preference is that our kind sponsors
21 give us unfiltered internet. That means no firewall, no blocking of any
22 ports or protocols, no blocking of ICMP, no protocol enforcement/cleanup
23 and no state tracking and killing sessions that appear to be idle. We
24 are fortunate that most places are able to provide this.
26 We also acknowledge that sometimes local policies outside of our primary
27 hosting provider requires a less optimal setup (e.g. the Computer
28 Science department hosts our machine but central IT which controls the
29 University's border routers think ICMP is the devil's doing).
31 In these cases we usually ask for the following setup:
33 * allow all outgoing traffic
35 * allow incoming tcp/22 (ssh)
36 * allow all incoming from
37 * bytemark: 5.153.231.0/24
38 * grnet: 194.177.211.192/27
39 * man-da: 82.195.75.64/26
40 * sil: 86.59.118.144/28
41 * ubcece: 206.12.19.0/24
43 * bytemark: 2001:41c8:1000::/48
44 * grnet: 2001:648:2ffc:deb::/64
45 * man-da: 2001:41b8:202:deb::/64
46 * sil: 2001:858:2:2::/64
47 * ubcece: 2607:f8f0:610:4000::/64
48 * ubc: 2607:F8F0:614:1::/64
49 * allow all return traffic on tcp/udp/etc.
51 Extra ports might be required for specific services.
54 Sat, 04 Nov 2017 19:34:24 +0000
projects / mirror / dsa-wiki.git / blob